
PHP Security Best Practices
« on: November 15, 2024, 04:10:22 PM »

Disabling Dangerous PHP Functions

PHP has a lot of functions that can be used to compromise your server if they are not used properly. You can list the functions to disable in /etc/php.d/security.ini using the disable_functions directive:

To add the PHP functions to the PHP configuration using WHM:
1. Log in to WHM.
2. Go to Home -> Software -> MultiPHP INI Editor.
3. Choose the Editor Mode tab.
4. From the drop-down list, choose the PHP version.
5. In the configuration window that opens, search for “disable_functions”.

Ex.
--
asp_tags=Off
display_errors = Off
magic_quotes_gpc=Off
max_execution_time = 30
max_input_time = 60
max_input_vars = 1000
memory_limit = 128M
post_max_size = 8M
session.gc_maxlifetime = 1440
session.save_path = "/var/cpanel/php/sessions/ea-php72"
upload_max_filesize = 2M
zlib.output_compression = On
allow_url_fopen = Off
allow_url_include = Off
disable_functions="exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source"
enable_dl = Off
file_uploads = On

Keep PHP, Software, And OS Up to Date
Restrict File and Directory Access

PHP-based apps can face different types of attacks. I have noticed the following types of attacks:

1. XSS - Cross-site scripting is a vulnerability in PHP web applications which attackers may exploit to steal users’ information. You can configure Apache and write more secure PHP scripts (validating all user input) to avoid XSS attacks.

2. SQL injection - It is a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function mysql_real_escape_string() before sending the SQL query.
Spoofing

3. File uploads - Uploads allow your visitors to place files on your server. This can result in various security problems, such as deletion of your files, deletion of the database, theft of user details and much more. You can disable file uploads in PHP, or write secure code (validating user input and only allowing image file types such as PNG or GIF).

4. Including local and remote files - An attacker can open files from a remote server and execute arbitrary PHP code. This allows them to upload files, delete files and install backdoors. You can configure PHP to disable remote file execution.

5. eval() - Evaluates a string as PHP code. This is often used by attackers to hide their code and tools on the server itself. You can configure PHP to disable eval().

6. Sea-surf attack (Cross-site request forgery, CSRF) - This attack forces an end user to execute unwanted actions on a web application in which they are currently authenticated. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is an administrator account, it can compromise the entire web application.
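As an added example (not the post's own code) of the "write secure code" advice in items 1, 2, 3 and 6 above: the mysql_real_escape_string() function mentioned in item 2 belongs to the old mysql extension, which was removed in PHP 7, so the example uses PDO prepared statements instead. It assumes an existing PDO connection $pdo, an already started session for the CSRF token, and a hypothetical users table with id and name columns.

```php
<?php
declare(strict_types=1);
// SQL injection: bind the user-supplied value as a parameter instead of
// splicing it into the query string. $pdo is an assumed, existing PDO connection.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]); // the value never reaches the parser as SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS: escape on output, for the HTML context, every time a value is echoed.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CSRF: a random per-session token, emitted in forms and checked in constant time.
// Assumes session_start() has already been called.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Uploads: decide by the file's content, not the client-supplied name or type,
// and store it under a server-generated name the client cannot influence.
function acceptImageUpload(array $file, string $destDir): ?string
{
    $allowed = ['image/png' => 'png', 'image/gif' => 'gif'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}
```

Pass an entry of $_FILES (for example $_FILES['photo']) as $file, and keep $destDir outside the web root so an accepted file is only ever served, never executed.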
